How to Use Reverse SSH Tunnel to Allow External Connections to Your PC

If you’re lucky enough that your Internet Service Provider (ISP) gives you a dedicated IP address, you can set up a home server and make it available to the Internet by adding a few port forwarding rules to your router. But if your ISP makes you share that IP with your neighbors, then port forwarding won’t help. Other providers simply block incoming connections through firewall rules.

You can bypass all of these restrictions with the help of a virtual private server. Anything will work, even if it has less than 512MB of RAM, as all it has to do is redirect network traffic. This is very light on CPU and RAM. The server will receive incoming connections and redirect them to your computer through what is called a “reverse SSH tunnel.” This way you can set up any kind of home server, with very small monthly costs.

Imagine you create a NextCloud server to upload/synchronize your files. You get the privacy of having those files on your home server, and then you can buy a 6TB hard drive to get all the space you need. You only have to pay a monthly electricity bill and less than $5/month for a virtual private server. That’s way cheaper than the monthly bill for a server with 6TB of space.

Note: This only works for redirecting TCP network traffic. TCP is used by things such as web servers (port 80/tcp). UDP is used by some (not all) game servers, for example Counter Strike (port 27015/UDP). UDP tunneling is possible, but with some “hacks,” which may be the topic of a future tutorial.

Windows 10 Now Has a Built-in SSH Client

There’s no need to use PuTTY anymore to initiate SSH connections. In fact, for this tutorial you will actually use this built-in client to set up the tunnel. Read the tutorial about Windows 10’s OpenSSH client if you’re not already familiar with it.

Prepare Virtual Private Server to Tunnel Connections

Create a Virtual Private Server with your favorite provider, like DigitalOcean, Linode, Vultr, or whatever else you prefer. The most important thing is to choose a server location that is as close to you as possible to minimize network latency. Try to set up the server in such a way that you get to log in to the root account directly, preferably with an SSH key, as it’s more secure. This is required if you want to make the server listen to connections coming on ports below 1024, so-called privileged ports.

Open command prompt (or a terminal if you’re on Linux), and log in to the server through SSH.

Edit OpenSSH server settings:

nano/etc/ssh/sshd_config

If you didn’t log in as root but as a regular user, you will need to use this command, otherwise you won’t be able to save the file:

sudonano/etc/ssh/sshd_config

Scroll down until you find a variable called “GatewayPorts.” The line may look like this: #GatewayPorts no. Delete the preceding “#” (to uncomment) and change the line to GatewayPorts yes.

If you can’t find the line, just scroll down to the end and add the line yourself:

GatewayPorts yes

Press Ctrl + X, then press y, and finally Enter to save the file.

Reload the SSH daemon so it picks up on the new setting.

systemctl reload ssh.service

Exit from the SSH session.

exit

How to Set Up a Reverse SSH Tunnel

The command parameters are the same on Linux, Windows, and even BSD operating systems. The general syntax is:

ssh-R remote_port:host:localport your_username@IP-of-server

remote_port tells the server to redirect connections that come to it on that port.

host tells the server at what IP address the connection should be redirected to. 127.0.0.1 will be used here to redirect to your own computer.

localport instructs what port data packets should be redirected to. Here, you should put the port number that your application, installed on your local computer, listens on.

For example, to forward all connections that come on port 80 (to the server) and send them to port 8080 on your local computer, the command would be:

ssh-R80:127.0.0.1:8080 root@203.0.113.1

This assumes that you have a web server, like Apache or Nginx, that listens on port 8080 on your local machine. But if Apache/Nginx is listening on the default port 80, then there is no problem using the same port twice in the previous command (since they are referring to port 80 in a different server).

ssh-R80:127.0.0.1:80 root@203.0.113.1

At this point, if someone enters the IP address of your virtual private server in the address bar of a browser, their connection would be redirected and served by your local computer.

In the picture above, a simple web server for Chrome was used that listens on port 8887 by default. You can try this setup yourself by installing the app and then using the command, as in the picture.

It’s worth mentioning that to keep the tunnel active, your SSH session must remain active. To close the tunnel, type exit in the terminal/command prompt window.

Conclusion

As you can see, it’s not hard to create a reverse SSH tunnel, but securing a website is. So if you choose to implement an idea like a local NextCloud server, isolate it in a virtual machine at least. This way, if your website gets compromised, at least the rest of your operating system will be unharmed.